GDPR
Privacy Notice
This privacy notice, prepared in light of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "Regulation"), as well as related legislation, explains which personal data we collect in the context of providing services and goods to customers and how we process and protect such data.
Introduction
We are Kunsthalle Praha Services, s.r.o., with its registered office at Klárov 132/5 Prague 1 - Malá Strana 118 00, Company ID: 069 63 391, incorporated under file no. C 292173 in the Commercial Register maintained by the Municipal Court in Prague (hereinafter referred to as "we", "us", "our", etc.), and within the scope of our activities we process personal data of our customers primarily in the performance of mutual business or other relationships.
In relation to this processing, we act as a data controller and we ensure that we process all of your personal data in accordance with applicable law. The purpose of this document is to clarify which of your personal data we process, for what purposes, by what means and what rights you, as a data subject, have in connection with the processing of your personal data.
In connection with the processing of your personal data, you can contact us by e-mail: [office@kunsthallepraha.org].
For the purposes of this privacy notice, the data subject is our customer, if a natural person, or a representative, contact person or other natural person acting with us on behalf of the customer - a legal entity.
Which personal data we process
In the performance of our activities, we process various types of personal data, which can be broadly divided into the following categories:
- Identification data
E.g. academic title, name, surname, home/registered office address, mailing address, company number, tax identification number, date of birth.
- Contact data
E.g. telephone number, fax, e-mail, delivery address.
- Payment and billing data
E.g. bank account number, TIN, billing address.
- Data shared in communication
This data includes, without limitation, any personal data you provide to us in the context of any communication with you, as well as the content of such communication.
How we use personal data
We collect and use personal data for the purposes of:
- Contract execution and performance;
We use the above personal data for the performance of the contract entered into with you or the entities for which you act including, but not limited to the fulfilment of our contractual or payment obligations and communication in connection with the following relationships:
- execution of a purchase contract in our e-shop, both without registration and with the creation of a user account, order confirmation, confirmation of goods shipment / delivery, etc.;
- complaints/returns/refunds;
- newsletter of our Design shop based on your request for it, questionnaires;
- promotions (discounts) in our Design shop/e-shop and related communication;
- execution of the contract/order;
- processing of invoices and payments.
We process personal data for these purposes in the context of pre-contractual and contractual relationships and partly on the basis of our legitimate marketing interests. The provision of personal data is thus often necessary for the execution and performance of a contract, for the correct set-up of relationships with you or the entities you act for, as well as for the control and recording of these relationships. Without the provision of personal data, we are unable to enter into and perform the relevant contract or to pursue our legitimate interests.
- Fulfilling legal obligations
We also process your identification, contact, payment and billing data for the purpose of fulfilling our statutory and other legal obligations, e.g. in terms of taxation, accounting, mandatory reporting, etc. The processing of your personal data in such cases is necessary for the fulfilment of our legal obligations and we would not be able to properly fulfil our obligations without your provision of such data.
- Protecting our legitimate interests
We also process personal data in order to protect our legitimate interests, in particular to protect our property, assets, reputation and goodwill, to ensure the proper performance of our business and to secure the appropriate authorisations to dispose with the works entrusted to us. Furthermore, we are also entitled to use personal data on the basis of our legitimate interest to assert, enforce or defend our claims before courts, administrative authorities and other public bodies. Such processing is based on our legitimate interest and without the use of your personal data we would not be able to protect our interests properly.
How we share data
We only ever share personal data with trusted partners, in the way that the law allows us to do so and on the basis of appropriate contracts that ensure adequate protection.
- Our authorised processors
We provide personal data to authorised processors for the purposes of processing personal data on our behalf and based on our instructions. Such partners must observe strict confidentiality obligations in accordance with the contracts we have entered into with them.
Our processors are mainly providers of technical and IT services including, but not limited to, Google Analytics, Google Ads, Meta (Facebook) and the provider of our e-mailing solution.
- Other recipients
We share personal information with legal and natural persons, government authorities and public institutions when we believe in good faith that access, use, retention or disclosure of that personal information is reasonably necessary to:
- cooperate in the performance of a contractual relationship with you or an entity for which you are acting, or to exercise and enforce our rights and privileges or interests when it comes to disclosure to our sister organization Kunsthalle Praha, Endowment Fund and to fulfil its legitimate interests;
- comply with a legal regulation or an enforceable decision of a government authority;
- enforce the terms of contract, including investigating possible breaches;
- execute a procedure aimed at dealing with fraud or security incidents;
- protect against harm to the rights, property or safety of our Foundation, our clients or the public as required or permitted by law.
We always ensure that we do not provide more data than is necessary to achieve the relevant purpose of the processing.
How you can handle your personal data
As a data subject, you have the right to decide on the handling of your personal data. You may exercise the rights set out below at the address and in the ways set out above. We will endeavour to reply as soon as possible, but always within one month of receiving your request. In case of doubt, we may ask you for additional verification of your identity.
Under applicable law and the Regulation, you have the following rights:
- Right of access under Article 15 of the Regulation
- Right to rectification under Article 16 of the Regulation
- Right to erasure under Article 17 of the Regulation
- Right to restriction of processing under Article 18 of the Regulation
- Right to data portability under Article 20 of the Regulation
- Right to object to processing under Article 21 of the Regulation
- Right to lodge a complaint with the competent supervisory authority, which is the Office for Personal Data Protection in the Czech Republic
- Right to withdraw your consent under Article 7(3) of the Regulation
Where we get your personal data from
We obtain personal data directly from you, based on your communications (or communications from entities for which you act or with which you cooperate) and from joint communications.
How long and where we keep the data
We retain personal data for varying lengths of time depending on the purpose of processing. In general, however, we process personal data for a period of:
(a) the duration of our contractual relationship with you (or the person for whom you are acting);
(b) ten years from the end of the tax year in which the transaction took place, for the purposes of meeting our legal obligations under the tax legislation;
(c) up to ten years from the end of the financial year to which the documents relate for the purposes of meeting our legal obligations under accounting regulations;
(d) until your consent is withdrawn if the processing is based on consent and we have no other legal basis for processing your personal data;
(e) until you object to processing where your rights and interests override our legitimate interests.
After the expiration of the aforementioned time limits, we are only entitled to process personal data for eligible purposes, for the protection of our rights and property (i.e. generally for the duration of the relevant limitation period) or for special purposes such as archiving or statistical reporting.
We only store personal data on the Foundation's secure servers, and in properly secured premises or with our trusted partners when in printed form.
Amendments to this document
We are entitled to modify or supplement the wording of this document in any way, in particular to incorporate legislative changes or changes in the purposes and means of processing. However, we will not limit your rights under this document or under applicable law. In the event that there are changes to this document that may affect your rights, we will notify you in an appropriate manner well in advance.
In addition to this document, we may also inform you of certain other or additional ways and policies for processing your personal data through separate announcements, notices or consents.
Cookies